RESP-gate gets messier

17 Dec 2014

The Ontario Information and Privacy Commissioner issued an Order Tuesday requiring the Rouge Valley Health System to implement wholesale changes to its electronic information systems while the RESP dealers remain nameless.

Brian Beamish, acting commissioner of the IPC, issued a statement Tuesday about the review his agency conducted of the two privacy breaches at the hospital, which led to charges being laid against former employee Shaida Bandali. WP reported yesterday that Bandali appeared in court last Friday but the case was put off until January 19, 2015.

Beamish and the IPC are clear in their key findings about the seriousness of these breaches, which affected as many as 14,000 patients at the hospital. The IPC found that the hospital’s audit procedures, including the functionality of one of its electronic information systems, were not fully addressed before the second breach was discovered.

That’s terribly damaging news for the hospital because the facts of this case seem to indicate that the alleged defendant’s breach (the second and more serious) could have been partially prevented by expediently addressing the issues and shortcomings of its information systems.

The IPC has ordered the hospital to implement several changes to its auditing and privacy policies and procedures to ensure this doesn’t happen again. Further, it has initiated discussions with the Ontario Ministry of Health in order to develop a streamlined process for commencing prosecutions.

Beamish stated, "Over the last decade we have seen a growing number of privacy breaches involving unauthorized access to personal health information by staff within the health sector… This Order should send a strong message to all health information custodians in Ontario, including hospitals, that they must implement reasonable measures and safeguards to eliminate or reduce the risks that may arise from unauthorized access. The strong message to staff is that there will be serious consequences arising from their actions."

Ottawa lawyers Michael Crystal and Norman Mizobuchi are leading a class action lawsuit on behalf of former patients affected by this serious breach of privacy. Crystal told WP, “As counsel for the plaintiffs in the Rouge Valley action, myself and Mr. Mizobuchi recognize that it is rare for the Information and Privacy Commissioner to issue orders and are very encouraged by these findings. This is a significant development in the case. We remain committed to pursuing a remedy for these families in a court of law.”

WP continues to follow this case as it winds its way through the judicial process. For the sake of parents considering RESPs, one can only hope the names of the dealers involved are soon released.

Certainly to disclose private information, especially for personal gain, is unacceptable today. It looks like the Ontario Information and Privacy Commissioner is on the ball. Too bad we can't say the same thing for the investment regulators. With all the lawyers at the OSC, one would think this issue could have proceeded at least to the point that the industry perpetrators could be identified. Instead of making new rules, perhaps more focus could be directed toward enforcement of regulations in existence. If there is no specific rule prohibiting the purchase of private information from unauthorized sources, it is another indicator that regulation by specific rule is far inferior to regulating on principle. There is no question the principle of buying unauthorized private information is unacceptable and unprofessional. If the press does not follow their name to press for accountability and improved performance by the regulators, they are without accountability to anyone.